Good day, we are thinking of moving many servers up to Azure (behind the curve, yes), and I'm thinking of the best way to connect into our Azure VNET. The most reasonably cost-effective and best-performing option.
I think many would say use the Azure VPN Gateway, but is that really the best option? Like Azure has a built-in, basic load balancer, but is that the same, or better than a dedicated F5 load balancer?
What would give us the most throughput with the lowest latency? An option would be something like a Palo Alto VM, but they still use an IPSec VPN, which by today's standards is ancient tech, and not super efficient.
I like the claims and stories around WireGuard. Is that a reasonable option? Has anyone seen or done any testing around that?
I’d be curious about creating even a simple clean Linux VM with Azure Boost and putting WireGuard (or Tailscale) on it, and then having some kind of hardware at the office that creates a dedicated tunnel (hopefully with hardware acceleration) as well.
Or is the default Azure VPN Gateway the best in terms of performance?
Using a standalone VPN device, such as a Palo Alto, will definitely give you better performance and more features…but it will be considerably more expensive than using the Azure VPN Gateway.
So, the logical questions are:
What kind of connectivity do you actually need for this? Site-to-site? User VPN? etc.
they still use an IPSec VPN, which by today's standards is ancient tech
IPSec VPN is still an absolute standard in the enterprise space. What do you think that the Azure VPN gateway uses? What do you think underpins most (if not all) SD-WAN setups?
Azure has a built-in, basic load balancer, but is that the same, or better than a dedicated F5 load balancer?
It doesn’t have the functionality of a full-blown load balancer such as an F5. It only does layer 4 (TCP/UDP), it doesn’t do any SSL/TLS termination, it is a simple passthrough load balancer.
It all depends on what you already have on-prem; sure, you could do WireGuard, but why not just terminate an IPSec tunnel from your existing on-prem gateway to the Azure VPN gateway?
I would always pick the Azure VPN gateway, because of the following reasons:
You will never need to update it
It’s native Azure and easy to configure
You can have high availability, depending on the SKU
It’s easy to upgrade to a higher SKU
People always forget the costs of maintaining a solution; our time is not free.
But why would you want to connect to Azure anyway, what is the goal? If you want to just put VMs in Azure (like your VPN appliance) it’s not going to be cost effective to use Azure.
I see some posts that other solutions should have more features, performance and latency, but what are those claims based on?
I have done a good few integrations of Palo Alto and Azure. Terminate your VPN on Azure. Use your firewall to inspect East/West/North/South traffic in Azure (you said you had a VM-Series). If you have two, use a load balancer; if it's a single firewall, there's no need. This is a very solid design - https://www.paloaltonetworks.sg/resources/guides/azure-transit-vnet-deployment-guide
If you don't want to use Palo Alto, you don't have to. The architecture remains the same whether it's FortiGate etc.
To OP, VPN gateway is a pretty good value. We happen to use NVA to handle the site-site connections as well as client VPN, partly because that’s what we have at each branch and we know how it works. I’m sure I’ll get flamed, but it’s Meraki, and believe it or not it’s actually cheaper than the VPN Gateway.
It's the standard, yes, but it's also 25+ year old tech. Is it the best? Other tech has evolved, so it's good to ask about other possibilities rather than stick with “that's what we’ve always done”.
The load balancer was just a rhetorical question.
The question is, is a classic IPSec tunnel the best option for performance, and future-proof security? WireGuard uses faster, stronger, and more efficient encryption, so are there good options there yet? One thing I’ve learned is that it seems there's always something new that I haven't heard of yet, and often it's better than the standard.
A lot of Microsoft's offerings are good base tools, but companies can build a good business by building highly specialized versions of those tools.
Perhaps you’d be best off with Palo Alto SD WAN to connect everything together. A canned solution which wouldn’t require you to get too deep in the weeds of configuration.
It’ll be expensive.
Otherwise, it’s just route-based VPNs (VTIs) and BGP.
All decent enterprise equipment has hardware acceleration for IPsec, not for WireGuard.
When you have hardware acceleration, IPsec will be faster than WireGuard.
You could look at Meraki and run a vMX in Azure to have a complete SD-WAN setup between your branches and Azure. I’ve set that up for quite a few clients. You could also look at something like Cisco Secure Access and have that facilitate your connections, especially if you are looking to move to a Zero Trust framework.
Azure VPN gateway can do everything that you want and will be the cheapest solution. IPsec and BGP are all part of gateway 1 license.
FortiGate would be my best choice. Simple and easy to use and you don’t need an SD-WAN license like Palo Alto. Comes in pay-as-you-go in the Azure Marketplace or BYO license.
What evolved from IPSec? IPsec hasn't really changed much. I think they’ve added a few stronger encryption variants, but just by increasing key length. Still the same algorithms.
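The setup several replies recommend (the Azure VPN Gateway with route-based IPsec and BGP, and, since cipher strength came up in the thread, an explicitly pinned IPsec/IKE policy rather than the gateway defaults), as an added Azure PowerShell (Az module) example that is not from any poster. Resource names, addresses, ASNs, the PSK and the existing VNet/GatewaySubnet are assumed placeholder values.

```powershell
# Added example (not from the thread): route-based Azure VPN Gateway + BGP + pinned IPsec policy.
# All names, addresses, ASNs and the PSK below are assumed/placeholder values.
$rg       = 'rg-hub'
$location = 'westeurope'
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg   # assumed existing VNet with a GatewaySubnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Static Standard-SKU public IP for the gateway, then the gateway IP configuration.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Route-based gateway with BGP. VpnGw1 is the entry SKU that includes IPsec and BGP;
# 65515 is the Azure-side ASN. Creation takes a while (tens of minutes is normal).
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -EnableBgp $true -Asn 65515

# The on-prem side. With BGP, AddressPrefix only needs to carry the peer's BGP address;
# the real on-prem prefixes are learned dynamically over the tunnel.
$lng = New-AzLocalNetworkGateway -Name 'lng-office' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.10.255.254/32' `
    -Asn 65010 -BgpPeeringAddress '10.10.255.254'

# Pin the crypto instead of accepting the default proposal list: AES-GCM-256 for ESP
# (AEAD, so integrity is set to the same GCM value), SHA-384 for IKE, DH group 24 with PFS.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# IKEv2 connection with BGP. Placeholder PSK: keep the real one in Key Vault, not in a script.
$psk = '<REPLACE-WITH-PRESHARED-KEY>'
New-AzVirtualNetworkGatewayConnection -Name 'cn-office' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey $psk -EnableBgp $true -IpsecPolicies $ipsec

# Once the on-prem router is configured, check the BGP session: State should read 'Connected'.
Get-AzVirtualNetworkGatewayBgpPeerStatus -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName $rg |
    Format-Table Neighbor, Asn, State, RoutesReceived
```

The on-prem device must be configured with the matching proposal (AES-GCM-256, SHA-384, group 24) and BGP peer 65515, otherwise IKE negotiation fails and the peer status never leaves 'Connecting'.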